REvil seems to be back again. The servers on the Tor network that the hacker group used to distribute its malware are back online. The website lists dozens of pages of victims.
This is evident from screenshots taken by various security researchers, BleepingComputer writes.
REvil is back
REvil is a hacker group operating out of Russia. The group is known for extorting victims with ransomware. With this ransomware, they copy confidential and company sensitive information and place these files under lock and key with their victims. This data is only accessible again if the victims pay a ransom. Some prominent victims of the hacker collective were money exchange office Travelex, meat producer JBS, and ICT service provider Kaseya.
Investigation and enforcement agencies took a hard line against the Russian hackers. Last summer it seemed as if REvil had disappeared from the face of the earth. Websites on the dark web and the regular internet had spontaneously gone black. The help desk was also no longer available. Finally, Unknown, the spokesperson for the hacker group, was banned from the XSS hacker forum.
In September 2021, the Tor payment site and the Happy Blog – where victims can negotiate the amount of the ransom – were suddenly up and running again. There were also new ransomware attacks at that time. A month later, the FBI said it had taken REvil’s entire infrastructure offline. Several leaders were arrested in the US, Germany and even Russia.
New victims and distribution key
That was the end of exercise for REvil. Or not? Cybersecurity experts say the hacker group is active again. Their new website is frequently mentioned on RuTOR, a forum that focuses on Russian-speaking hackers. Although the site is hosted from a different domain, it redirects visitors to the original site REvil used before it was taken offline.
REvil promises on the site that the ransomware that the hacker group uses has received an update. The group also uses a new distribution key for its revenues. Whoever uses REvil’s ransomware to carry out cyberattacks will receive an 80/20 share. Hackers who rent out their ransomware to cybercriminals to carry out digital attacks are also known as Ransomware-as-a-Service (RaaS).
Several security researchers and tech site BleepingComputer confirm that REvil’s website contains 26 pages of victims. In their own words, there are mainly old victims in the list, but also a number of newcomers. One of these is Oil India.
Experts say REvil’s website likely went back online sometime between April 5 and 10. The site had no content at the time. The Happy Blog and page where victims can pay ransom are now up and running again.
The security experts are somewhat sceptical about whether REvil is behind this. Whoever launched the websites did not mention any name or affiliation with REvil. In order to determine with certainty that the Russian hacker group has ‘risen from the dead, the malware of new victims must be analyzed.
On the Russian forum RuTOR, members speculate that the new site is a ruse by investigative services to track down and arrest hackers. We call that a honeypot. If REvil is indeed responsible for the relaunch of the sites, it still has a long way to go to regain the trust of the community, some forum members say.
Catch up on more articles here
Follow us on Twitter here